Security News > 2021 > December > Firmware attack can drop persistent malware in hidden SSD area
The attack models are for drives with flex capacity features and target a hidden area on the device called over-provisioning, which is widely used by SSD makers these days for performance optimization on NAND flash-based storage systems.
One attack modeled by researchers at Korea University in Seoul targets an invalid data area with non-erased information that sits between the usable SSD space and the over-provisioning area, and whose size depends on the two.
The research paper explains that a hacker can change the size of the OP area by using the firmware manager, thus generating exploitable invalid data space.
In a second attack model, the OP area is used as a secret place that users cannot monitor or wipe, where a threat actor could hide malware.
After the hacker stores the malware code in SSD2, they immediately reduce the OP area of SSD1 to 25% and expand the OP area of SSD2 to 75%. At this time, the malware code is included in the hidden area of SSD2. A hacker who gains access to the SSD can activate the embedded malware code at any time by resizing the OP area.
As a defense against the first type of attack, the researchers propose SSD makers wipe the OP area with a pseudo-erase algorithm that would not affect real-time performance.
News URL
Related news
- NoName ransomware gang deploying RansomHub malware in recent attacks (source)
- Iranian Cyber Group OilRig Targets Iraqi Government in Sophisticated Malware Attack (source)
- CISA warns of Windows flaw used in infostealer malware attacks (source)
- Binance Warns of Rising Clipper Malware Attacks Targeting Cryptocurrency Users (source)
- Hackers deploy AI-written malware in targeted attacks (source)
- N. Korean Hackers Deploy New KLogEXE and FPSpy Malware in Targeted Attacks (source)
- New RomCom malware variant 'SnipBot' spotted in data theft attacks (source)
- Astaroth Banking Malware Resurfaces in Brazil via Spear-Phishing Attack (source)